wannacry | 462083a9b81e8eec6f13754f3d0029cd219a595b320240d2eb8f30d9e5337ed1

General

Target

27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll
Size

5.0MB
MD5

27b1909032fd61c8538946b80e1196d7
SHA1

068db3c25da3037222a410cdbfa4582daaff7187
SHA256

462083a9b81e8eec6f13754f3d0029cd219a595b320240d2eb8f30d9e5337ed1
SHA512

f22324929c57c480d1d854962f49e74fb03ab8d676fb3b4e2ea674cdaa4f97580251ba6d7eace1c814fdf4e9665ef45fe5c8d24c8c6ff937c67decd54e90a700
SSDEEP

49152:SnAQqMSPbcBVlvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBDxWa9P593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3122) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2324 mssecsvc.exe
2572 mssecsvc.exe
2684 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2324	mssecsvc.exe
2572	mssecsvc.exe
2684	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348}\WpadDecisionTime = 4066551fb2a1da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-d1-d0-61-ff-e9\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ee000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-d1-d0-61-ff-e9\WpadDecisionTime = 4066551fb2a1da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-d1-d0-61-ff-e9\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e2-d1-d0-61-ff-e9	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A334E054-6092-4D77-8C18-BEB364DDB348}\e2-d1-d0-61-ff-e9	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2188 wrote to memory of 1508	2188	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 1508	2188	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 1508	2188	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 1508	2188	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 1508	2188	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 1508	2188	rundll32.exe	rundll32.exe
PID 2188 wrote to memory of 1508	2188	rundll32.exe	rundll32.exe
PID 1508 wrote to memory of 2324	1508	rundll32.exe	mssecsvc.exe
PID 1508 wrote to memory of 2324	1508	rundll32.exe	mssecsvc.exe
PID 1508 wrote to memory of 2324	1508	rundll32.exe	mssecsvc.exe
PID 1508 wrote to memory of 2324	1508	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\27b1909032fd61c8538946b80e1196d7_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1508

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2324

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2684

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
Filesize
1.2MB

MD5
615e2c68f8b0de0e118a9e5f518941a1

SHA1
7b94340413840b3d7de59e04e9c131e0c176bcfb

SHA256
5c373db550f963bb8e68e5751a06b85bd383b08d49c70a80543c679095b2f4ce

SHA512
2a53e10f1e06a78fc5b7eba2ec7233e028cfa3ea71c323ee03cf16b57efa7bc49a9bda7b54fcc4b312692a4e741bf8145930f0b4d198ecadc755d9c76facadab

Download Submit
C:\Windows\mssecsvc.exe
Filesize
2.8MB

MD5
cabe6ebf0067d10a90a30dc7b7d4fec1

SHA1
52b9e021c76846116c36c91e4ca71097929ea80f

SHA256
17f11413a86cc796d651da1900f78a065d5890e409bf14e803b184177e517fbd

SHA512
1b417d64a76873797fb226876cee347cee499fbbf9b62eade477bec8be3f879680d8d2d49442bf55c7f9b715cffb9eddd16e2cb1c9329f379e6d3d5a63888b45

Download Submit
C:\Windows\mssecsvc.exe
Filesize
2.1MB

MD5
74cc67bfc86062dd09b0ad453b5716c9

SHA1
cff6e310367f9633e0fb4c9077d6a498d6feaf25

SHA256
fcd25a76981f1acca88f6f08de3a5be0eff4bf6509c8fbaa399e17266d14b048

SHA512
c977ae466a1aa401b02b28dac9ad4b52ab34e7efb8ec7ae4225374b0ea773559411e99205d65a4e9c0ae8250ed871bc7f9590808e5f7402c5d3242b8cd49ef1c

Download Submit
C:\Windows\tasksche.exe
Filesize
1.8MB

MD5
e4c0c28020b03247f63899ca1e676218

SHA1
379fc44474382b54b1799b51486d0ffa64dfdc90

SHA256
50ac87271c54af60f8c1e15d103e8e657cf63c1813c1e75670ef833268588fe3

SHA512
bb903a88eec5323dfa35d652c953e0fc53df7dd73852da6c0d955747e5d8aac7f0bf898fe0d75e5d04bcd5fb5ae8ab31f7e969d27f014f66018e654b80fcc5a9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads